feat: TLS1.2 support for RSA-PSS certificates #4927

Draft
wants to merge 1 commit into
base: main
@lrstewart lrstewart commented Nov 22, 2024

Release Summary:

Added TLS1.2 support for RSA-PSS certificates. Previously, RSA-PSS certificates could only be used with TLS1.3.

Resolved issues:

resolves #4804

Description of changes:

Supporting RSA-PSS certificates with TLS1.2 turned out to be as simple as just removing the TLS1.3-only restrictions. Previously, we specifically restricted RSA-PSS-PSS to TLS1.3.

Call-outs:

  • Is this a feature or a fix? 🤔

Testing:

I added a new end-to-end test to clearly assert that we support all certificates where we expect to.

I also updated the integration tests to use TLS1.2 + RSA-PSS. It's hard to tell that's working, so I dumped the output of a successful test_s2n_client_signature_algorithms run into a file and searched it. It looks like:

...
293: PASSED test_signature_algorithms.py::test_s2n_client_signature_algorithms[no-client-auth-rsa_pss_pss_sha256-RSA_PSS_2048_SHA256-TLS1.2-S2N-OpenSSL-ECDHE-RSA-AES128-GCM-SHA256]
293: PASSED test_signature_algorithms.py::test_s2n_client_signature_algorithms[no-client-auth-rsa_pss_pss_sha256-RSA_PSS_2048_SHA256-TLS1.2-S2N-OpenSSL-ECDHE-RSA-AES256-GCM-SHA384]
293: PASSED test_signature_algorithms.py::test_s2n_client_signature_algorithms[no-client-auth-rsa_pss_pss_sha256-RSA_PSS_2048_SHA256-TLS1.2-S2N-OpenSSL-ECDHE-RSA-CHACHA20-POLY1305]
...

The commands I ran, and the results:

$ cat signature_algorithms.out | grep ": PASSED " | grep pss_pss | wc -l
40

$ cat signature_algorithms.out | grep ": PASSED " | grep pss_pss | grep TLS1.2 | wc -l
28

$ cat signature_algorithms.out | grep ": PASSED " | grep pss_pss | grep TLS1.2 | grep s2n_client | wc -l
14

$ cat signature_algorithms.out | grep ": PASSED " | grep pss_pss | grep TLS1.2 | grep s2n_server | wc -l
14

$ cat signature_algorithms.out | grep ": PASSED " | grep pss_pss | sed 's/^.*-OpenSSL-\(.*\)\]/\1/' | sort -u
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CHACHA20-POLY1305
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256

That looks correct to me, given the full set of ciphers:

$ cat signature_algorithms.out | grep ": PASSED " | grep "OpenSSL" | sed 's/^.*-OpenSSL-\(.*\)\]/\1/' | sort -u
AES128-SHA
AES128-SHA256
AES256-SHA
AES256-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CHACHA20-POLY1305
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
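The coverage check that the description performs by hand with grep, as an added example that is not part of the PR or the project's test suite: it parses result lines in the shape shown above and reports every role and cipher pair that lacks a clean TLS1.2 rsa_pss_pss pass. The sample lines are constructed, the function and helper names are hypothetical, and the s2n_server test ID layout is assumed to match the s2n_client one shown.

```python
import re

# Shape taken from the sample result lines in the PR description.
# Assumption: s2n_server test IDs end with the same "-<protocol>-...OpenSSL-<cipher>]" tail.
LINE_RE = re.compile(
    r": (?P<status>[A-Z]+) \S+::test_(?P<role>s2n_client|s2n_server)_signature_algorithms"
    r"\[.*?rsa_pss_pss_sha\d+-.*?-(?P<proto>TLS1\.\d)-.*?OpenSSL-(?P<cipher>[^\]]+)\]"
)

# The TLS1.2 ciphers the PR description lists for pss_pss runs.
TLS12_PSS_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
)

def pss_tls12_gaps(lines, ciphers=TLS12_PSS_CIPHERS, roles=("s2n_client", "s2n_server")):
    """Return sorted (role, cipher) pairs without a clean TLS1.2 rsa_pss_pss pass."""
    passed, failed = set(), set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TLS1.2":
            continue  # not a pss_pss result, or a TLS1.3 run
        key = (m["role"], m["cipher"])
        (passed if m["status"] == "PASSED" else failed).add(key)
    wanted = {(r, c) for r in roles for c in ciphers}
    # A pair is a gap if it never passed, or if any parametrization of it did not pass.
    return sorted((wanted - passed) | (failed & wanted))

def make_line(status, role, proto, cipher):
    """Build one constructed result line in the shape shown in the PR description."""
    return (f"293: {status} test_signature_algorithms.py::test_{role}_signature_algorithms"
            f"[no-client-auth-rsa_pss_pss_sha256-RSA_PSS_2048_SHA256-{proto}-S2N-OpenSSL-{cipher}]")

# Constructed sample: client fully covered; server has one failure and one missing result.
SAMPLE = [make_line("PASSED", "s2n_client", "TLS1.2", c) for c in TLS12_PSS_CIPHERS]
SAMPLE += [make_line("PASSED", "s2n_server", "TLS1.2", c) for c in TLS12_PSS_CIPHERS[:4]]
SAMPLE += [make_line("PASSED", "s2n_server", "TLS1.2", "ECDHE-RSA-AES256-SHA384"),
           make_line("FAILED", "s2n_server", "TLS1.2", "ECDHE-RSA-CHACHA20-POLY1305"),
           make_line("PASSED", "s2n_server", "TLS1.3", "TLS_AES_128_GCM_SHA256")]

if __name__ == "__main__":
    for role, cipher in pss_tls12_gaps(SAMPLE):
        print(f"no clean TLS1.2 rsa_pss_pss pass: {role} {cipher}")
```

An empty result means every expected pair passed; a missing line counts as a gap, so a test that was silently deselected is reported rather than overlooked.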

Successfully merging this pull request may close these issues.

TLS1.2 should support RSA-PSS certificates